Access hashed mysql password from python

Question

This seems somewhat trival but I have spent a bit of time googling with no results. Anyways I am developing a web app and I need to store 'sensitive' data in a mysql database and then access it to authenticate api calls from python. I am no security expert but I have a basic understanding of hashing and encrypting.

I know how to encrypt the data with aes_decrypt aes_encrypt and I also know how to hash the data using the password() function supplied by mysql.

My first question is should I be encrypting this data or hashing it? My second question is I do not know how to 'access' or 'use' the password information in python once I hash it using the password() function in mysql.

Any help is much appreciated.

Answer 1

Firstly I am no python expert, my answer is only aimed for a general approach.

Passwords in web applications are usually stored as hashes, not encrypted, this basically makes it harder for someone to get them if your table is compromised. Hashes should be generated as solid as possible. Please do not just a MD5, better use something more secure (from todays perspective) and salt it properly to minimize the risk of rainbow attacks.

I wouldn't use the MySQL Password() function for this. The documentation says:

The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA2() instead.

This leaves SHA2() , if you want to hash with MySQL, though don't forget to salt the string before hashing. My way of doing it would be to hash the string with your application (see python hashli b for reference), salt it like this and then just store the hash in the database. This avoids security issues of your data between your application and the database server.